Back to skill

Security audit

Alibabacloud Vms Smart Call By Tts

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate Alibaba Cloud voice-calling purpose, but it can place real AI-generated outbound calls without a final confirmation and makes persistent local CLI changes.

Review before installing. Use a least-privilege RAM user limited to dyvms:SubmitIntent and dyvms:QueryCallDetailByCallId, avoid root or broad cloud credentials, require an explicit final confirmation before every call, and review the installer before running it so it does not unexpectedly modify shell startup files or replace CLI plugins.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill exercises high-risk capabilities (shell, network, env, file reads) but does not declare permissions up front, which prevents meaningful consent and policy enforcement before execution. In this context, the skill can install software, read local credential configuration, and place real outbound calls, so undeclared capabilities materially increase the chance of surprising or unsafe execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose understates the true behavior: beyond placing voice calls, the skill can modify the local environment, install or replace CLI plugins, access local Alibaba Cloud credential material through helper flows, and expose a more generic RPC path. This mismatch is dangerous because operators may authorize a seemingly narrow calling skill without realizing it can alter the system and use broader cloud API capabilities.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The guide goes far beyond what a VMS smart-call skill needs by teaching general-purpose Alibaba Cloud authentication modes, profile management, and service usage patterns. In an agent-skill context, this unnecessarily broadens the operator's cloud access and increases the chance the skill is used with over-privileged credentials unrelated to voice-calling.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Using ECS APIs such as `ecs describe-regions` as the default authentication and debugging path is unrelated to a smart voice-call workflow and trains users to grant and test permissions against another service. This expands blast radius and can normalize broader cloud access than the skill actually needs.

Context-Inappropriate Capability

Low
Confidence
91% confidence
Finding
The recommendation to install plugins such as ECS, VPC, and RDS and explore unrelated commands is not justified by the skill's purpose. Even if not directly exploitable, it encourages broader administrative capability and widens the operational surface around a narrowly scoped voice-call skill.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Broad triggers such as everyday-language phrases can cause accidental activation of a skill that places real AI-generated outbound calls. Because the action has side effects outside the system boundary and may contact real people, unintended invocation can lead to privacy, harassment, or operational incidents.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The introductory description does not prominently warn that the skill will place real outbound AI-generated calls to matched contacts. For a skill with real-world external actions, insufficient upfront disclosure increases the risk of users invoking it without understanding the consequence or scope of automation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document shows commands that place access keys and secrets directly on the command line and persist them to local configuration without prominently warning about shell history, process-list exposure, and local secret storage. In agent, CI, or shared-host environments, this can leak long-lived cloud credentials and lead to full account misuse within the granted permissions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Exporting access keys and tokens as environment variables without strong cautions is risky because they may be exposed through debug output, crash reports, CI logs, subprocess inheritance, or host inspection. For a skill intended to automate cloud actions, this creates a realistic credential leakage path.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document instructs users to run a privileged recursive ownership change over ~/.aliyun using sudo, but does not clearly warn about the risks of changing file ownership or advise users to verify the target path before execution. In an agent or sandboxed context, operational docs can be surfaced and executed mechanically, so even a narrowly scoped sudo command can cause unintended permission changes or normalize unsafe privilege escalation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persistently modifies the user's shell startup files (.zshrc and .bashrc) to prepend $HOME/.local/bin to PATH without explicit consent or a clear user-facing prompt. While not overtly malicious, silently changing login shell behavior is a security-relevant persistence action that can surprise users, affect future command resolution, and create opportunities for unintended execution of user-writable binaries.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## 5. Parameter Confirmation

> **IMPORTANT: Parameter Confirmation** — Before executing the API call,
> confirm the user's **intent** (who to call + what to convey). If the user's message already makes both clear, no confirmation is needed — proceed directly.
> Do NOT iterate on wording or draft the spoken text — `UserMessage` is an intent description,
> not the final playback script; the server-side LLM generates the actual spoken content (`Model.CallContent`).
Confidence
96% confidence
Finding
no confirmation

Session Persistence

Medium
Category
Rogue Agent
Content
Plugin aliyun-cli-dyvmsapi 0.1.0 installed successfully!
```

> If the output reads `plugin "aliyun-cli-dyvmsapi" is already installed (version X.Y.Z); continuing will replace it with version 0.1.0` → **expected behavior** (overwrite install). Let it finish.
>
> If the output reads `ERROR: invalid flag source-base` → **CLI version is < 3.3.8** and does not understand the flag. Re-run the **environment-aware fallback chain in §1.1** (it auto-picks brew / system-wide / user-level upgrade) to upgrade, then retry §1.3. **[FORBIDDEN]** It is strictly forbidden to switch to §1.alt due to this error — this is a tooling-version issue, not a network issue. The external fallback is reserved for `no such host` / `connection timeout` only.
>
Confidence
80% confidence
Finding
write install). Let it finish. > > If the output reads `ERROR: invalid flag source-base` → **CLI version is < 3.3.8** and does not understand the flag. Re-run the **environment-aware fallback chain in

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.